FTC issues warnings to plug P2P security holes

From the editors and reporters of Scientific American , this blog delivers commentary, opinion and analysis on the latest developments in science and technology and their influence on society and policy. From reasoned arguments and cultural critiques to personal and skeptical takes on interesting science news, you'll find a wide range of scientifically relevant insights here. Follow on Twitter @sciam.

Larry Greenemeier is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots. Follow on Twitter @lggreenemeier.

The U.S. government has stepped up its efforts to warn computer users about the security risks of peer-to-peer (P2P) file-sharing networks, the most popular of which today are perhaps BitTorrent and LimeWire. The Federal Trade Commission (FTC) reported Monday that it has sent letters to nearly 100 businesses, schools and government organizations warning that personal information, including sensitive data about customers or employees, has been shared from their computer networks and is now available to anyone using those P2P networks. Anyone who downloads that data could use it to commit identity theft or fraud.

P2P began as a seemingly harmless way for computer users to share documents, images, music and other media files. Files move directly from PC to PC rather than through a central server: each participant's computer runs client software that downloads from, and serves files to, the other participants, contributing a portion of its processing power, disk storage and network bandwidth to the network. The security catch is in what gets served. The client exposes whatever folders the user has chosen to share, so a share that covers a home directory or an entire drive, rather than a music folder, exposes every document in it to every other user on the network.

The now-defunct Napster file-sharing service illustrates both the good and the bad of P2P. It first popularized P2P in 1999 as a way for computer users to swap digital music files. Within two years, however, Napster's capacity to facilitate the transfer of copyrighted material led to legal problems that shut the service down, although the Napster brand has been bought and sold several times since, most recently in 2008 by electronics retailer Best Buy.

Copyright infringement aside, the FTC is now more concerned with the prevalence of personal information—health records, financial records, driver's license numbers and Social Security numbers—that it says it has found circulating on P2P networks. In the letters the FTC sent to organizations leaking sensitive data via P2P networks (pdf), the commission points to at least one specific file it found that, in the wrong hands, could be used to commit fraud or identity theft.

Some see the FTC's latest action as long overdue. "The FTC has been under pressure to do something for years," Eric Johnson, an operations management professor at Dartmouth College's Tuck School of Business in Hanover, N.H., wrote in an e-mail to Scientific American. Johnson's P2P security research has turned up confidential medical files on thousands of people leaked through P2P networks. These files include patient billing records and insurance claims containing Social Security numbers, birth dates, medical diagnoses and psychiatric evaluations. "We have been showing that this is a significant issue for the last three years," he adds.

"FTC is finally taking it seriously and 1) warning consumers and 2) going after firms with leaks," Johnson wrote. "Data that simply leaks out of large firms—from banking to healthcare—is a bigger issue than technical hacks in many cases. Criminals simply need to know where to look."
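The FTC letters and Johnson's research both come down to one check that an organization can run itself before a P2P client ever goes live: look at the folders the client is configured to share and ask what a stranger on the network would find there. The script below is an added example, not code from Scientific American, the FTC or the cited research; the client name ("demo-p2p"), the folder layout and the file contents are constructed for the demonstration. It flags share roots that are too broad (a home directory or a whole drive) and files that contain Social Security numbers or the kinds of terms found in the leaked billing and insurance records. Because the nine-digit pattern alone also matches invoice and ticket numbers, it applies the Social Security Administration's structural rules (no 000, 666 or 900 to 999 area, no 00 group, no 0000 serial) before counting a hit.

```python
import re
import tempfile
from pathlib import Path

# SSN-shaped strings such as 123-45-6789.  The pattern alone over-matches
# (invoice and ticket numbers have the same shape), so looks_like_ssn()
# applies the Social Security Administration's structural rules on top of it.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Terms that recur in the leaked billing and insurance records described in
# the article; any hit is reported alongside the SSN count.
SENSITIVE_WORDS = ("diagnosis", "insurance claim", "date of birth", "account number")


def looks_like_ssn(area, group, serial):
    """Reject SSN-shaped numbers the SSA never issues."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def overbroad_roots():
    """Share roots that expose far more than a media folder: the filesystem
    (or drive) root and the user's home directory."""
    roots = {Path(Path.cwd().anchor)}
    try:
        roots.add(Path.home())
    except RuntimeError:  # home directory cannot be determined on this host
        pass
    return roots


def scan_file(path, max_bytes=1_000_000):
    """Return (valid_ssn_count, matched_keywords) for one file.
    Binary files decode to noise and score zero."""
    try:
        text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore").lower()
    except OSError:
        return 0, []
    ssns = sum(1 for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups()))
    words = [w for w in SENSITIVE_WORDS if w in text]
    return ssns, words


def audit_shares(share_roots):
    """Walk each folder the client is configured to share and report what
    would be exposed to every other user on the network."""
    findings = []
    broad = overbroad_roots()
    for root in (Path(r).resolve() for r in share_roots):
        if root in broad:
            findings.append({"path": str(root), "issue": "overbroad share root"})
        for p in root.rglob("*"):
            if not p.is_file():
                continue
            ssns, words = scan_file(p)
            if ssns or words:
                findings.append({"path": str(p), "issue": "sensitive content",
                                 "ssn_count": ssns, "keywords": words})
    return findings


def build_sample_share():
    """Constructed sample share for the hypothetical 'demo-p2p' client: a
    music file, a billing export that should never be shared, and a decoy
    whose numbers are SSN-shaped but impossible."""
    root = Path(tempfile.mkdtemp(prefix="demo-p2p-share-"))
    (root / "music").mkdir()
    (root / "music" / "track01.mp3").write_bytes(b"\xff\xfb\x90\x00" + b"\x00" * 32)
    (root / "Documents").mkdir()
    (root / "Documents" / "billing_2009.csv").write_text(
        "patient,ssn,date of birth,diagnosis\n"
        "Jane Roe,123-45-6789,1970-01-02,redacted\n"
        "John Doe,234-56-7890,1965-03-04,redacted\n")
    (root / "Documents" / "notes.txt").write_text(
        "Invoice 987-65-4321 and ticket 123-00-4567; nothing sensitive here.\n")
    return root


if __name__ == "__main__":
    for finding in audit_shares([build_sample_share()]):
        print(finding)
```

Run against the constructed share, only the billing export is reported: two valid SSNs plus the "diagnosis" and "date of birth" terms. The decoy file's two nine-digit strings are dropped by the SSA rules, and the MP3 decodes to nothing that matches. In practice you would point `audit_shares` at the share list read from the client's own configuration and treat any finding as a reason to narrow the share before connecting.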

The article states: "P2P began as a seemingly harmless way of allowing computer users to share documents, images, music and other media files. The information flows quickly and easily from PC to PC because there’s no centralized server that needs to route network traffic. Instead, computer users make a portion of their processing power, disk storage or network bandwidth available to others on the network."

This is a pretty misleading explanation of P2P. How about: P2P allows people to access each other's computers as file servers.
This is not only simpler but more accurate.

I don't fully understand how sensitive data was leaked over the P2P network. Were users hosting sensitive files, or did some P2P software cause a security hole that was exploited? When you run something like Napster or uTorrent, it doesn't automatically allow users to download any file they choose from your computer; you have to specify which files/folders you wish to share.

In David Scott's words, everyone needs to be a mini-Security Officer in the modern organization today. I think Mr. Scott is right: Most individuals and organizations enjoy Security largely as a matter of luck. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston's Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium).